Closed sanjayc1 closed 2 years ago
Thanks for logging this. These issues can be annoying to debug when testing an API.
The reason for stripping the padding ("=" chars) is that the JWT spec (RFC7519) defines the base64 scheme as:
Base64 encoding using the URL- and filename-safe character set defined in Section 5 of RFC 4648 [RFC4648], with all trailing '=' characters omitted
I do often see applications and APIs that malform their JWTs by not following the spec. In these cases they often fail to parse properly-constructed tokens.
A long time ago I decided that jwt_tool shouldn't try to support these edge-cases as they are rare and too varied to reliably cover without considerable effort.
You can of course tweak the code locally in these cases, or write a script/regex to add in the padding.
command used python3 ./jwt_tool.py "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VybmFtZSI6InRlc3QifQ.GU72t7mfy31jMvyY7hSinJBtAntSqjeuqJa6el2PGPaq36hkZtn8fVo8JEgv7hnEdOHkibVLz9MLUca12yLmbylSxl-Nh2_pMf2s03JBsKs7oIJeBKjj7Pw4lXp1TQQj6ISTwzeBNAUlv4VXJ11G-mPFKwYxTOQg7IX0FxyGMlGbLKoe3TXbw7trXwXevC9O_q_cxHRFMINg9vPAATKI0_PfMJPGBdewILLf1aExd37QhTUts8IE11ak3To8TDnQZ14h14evccnWfVp8sQOFo81Rlp5r1j3WBQnaEsYhVMKuBgW2osceqgFG8ABIYj8eF7vtRzaJUMTVe_dUk0x43A8Meb5Xe2TdyIOkhoQPHTZ3BYxLX4pW_yrjjPSAWSfCAEm07fqYc4tP7IXvZ7rtlGwq_eMoBotGj8KJAI1FqAc1kh6fC0KdQvvAY2XhifJZArCpXsRiyoSdjB5oJVeDlsjyQ4HUcgfn8Yn0sEdC6tqyATIAMMWaGMDb54Iw0NX7F4P2VrCeZ75A3K-patffZFxyssqeS-rMYkbn8O7lXfaxoe8us-IKN5wCwNBp82CSU0qR8U2iWU4Or22kNBRFuVV5sr2huMkIf1dodVmpodAExfiwEs28DCkKf9y5uV6fHJohX1Bo31JdghbsgPufM_z3GD1HSfBaMUpUSO6vJME" -v -X k -I -pc username -pv admin -pk ../public.pem
new payload generated
eyJ1c2VybmFtZSI6ImFkbWluIn0 with '=' stripped off. I understand that during transport = can be stripped off but then inserted before decoding. Some server APIs processing JWT don't do that, hence it causes the failure. I would request not to strip off "=" signs to be safe.
I spent several hours troubleshooting this.
echo eyJ1c2VybmFtZSI6ImFkbWluIn0 | base64 -d (this causes the } in payload to strip off)
{"username":"admin%
------- correct
echo eyJ1c2VybmFtZSI6ImFkbWluIn0= | base64 -d
{"username":"admin"}%
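The padding script suggested in the reply, sketched as an added example (not jwt_tool code and not written by either commenter). The function names are hypothetical, the header and payload segments are the ones quoted in the report, and the signature segment is a constructed placeholder.

```python
import base64

def pad_segment(seg: str) -> str:
    """Return a base64url segment with the '=' padding RFC 4648 requires."""
    seg = seg.rstrip("=")
    if len(seg) % 4 == 1:  # no byte string encodes to this length
        raise ValueError(f"invalid base64url length: {len(seg)}")
    return seg + "=" * (-len(seg) % 4)

def b64url_decode(seg: str) -> bytes:
    """Decode a segment whether or not the sender kept the padding."""
    return base64.urlsafe_b64decode(pad_segment(seg))

def repad_jwt(token: str) -> str:
    """Pad every segment, for a server that rejects unpadded JWTs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return ".".join(pad_segment(p) for p in parts)

def strip_jwt(token: str) -> str:
    """Inverse of repad_jwt: the spec-compliant, unpadded form."""
    return ".".join(p.rstrip("=") for p in token.split("."))

# Header and payload are the segments from the report; the signature
# "c2lnMQ" is a constructed placeholder, not a valid RS256 signature.
SAMPLE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9"
    ".eyJ1c2VybmFtZSI6ImFkbWluIn0"
    ".c2lnMQ"
)

if __name__ == "__main__":
    payload = SAMPLE_TOKEN.split(".")[1]
    # 27 characters: a strict decoder handles six full groups of 4
    # (18 bytes) and loses the last 2 bytes carried by the partial group.
    print(len(payload), b64url_decode(payload))
    print(repad_jwt(SAMPLE_TOKEN))
```

Padding changes the bytes of the encoded segments, so a verifier that checks the signature over the token string as received sees a different signing input than one that normalises to the unpadded form first.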